Allow setting TLSv1.3 as minimum TLS version

OBS-URL: https://build.opensuse.org/package/show/server:mail/dovecot23?expand=0&rev=69
2020-04-29 21:26:47 +00:00 · 2020-04-29 21:26:47 +00:00 · c112b436c3
commit c112b436c3
parent 21a5cd0499
3 changed files with 54 additions and 0 deletions
--- a/allow-tls1.3-only.patch
+++ b/allow-tls1.3-only.patch
@ -0,0 +1,43 @@
+Index: dovecot-2.3.10/src/config/old-set-parser.c
+===================================================================
+--- dovecot-2.3.10.orig/src/config/old-set-parser.c
+++ dovecot-2.3.10/src/config/old-set-parser.c
+@@ -171,7 +171,7 @@ static int ssl_protocols_to_min_protocol
+ 					 const char **error_r)
+ {
+ 	static const char *protocol_versions[] = {
+-		"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2",
+		"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3",
+ 	};
+ 	/* Array where -1 = disable, 0 = not found, 1 = enable */
+ 	int protos[N_ELEMENTS(protocol_versions)];
+Index: dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c
+===================================================================
+--- dovecot-2.3.10.orig/src/lib-ssl-iostream/iostream-openssl-common.c
+++ dovecot-2.3.10/src/lib-ssl-iostream/iostream-openssl-common.c
+@@ -9,6 +9,16 @@
+ #include <openssl/err.h>
+ #include <arpa/inet.h>
+ 
+/*
+ * SSL_TXT_TLSV1_3 is not defined in the openssl headers up to 1.1.1g.
+ * Define it here as no other part of the code uses those defines.
+ *
+ * https://github.com/openssl/openssl/pull/6720
+ */
+#ifndef SSL_TXT_TLSV1_3
+#define SSL_TXT_TLSV1_3 "TLSv1.3"
+#endif
+
+ /* openssl_min_protocol_to_options() scans this array for name and returns
+    version and opt. opt is used with SSL_set_options() and version is used with
+    SSL_set_min_proto_version(). Using either method should enable the same
+@@ -23,6 +33,8 @@ static const struct {
+ 	{ SSL_TXT_TLSV1_1, TLS1_1_VERSION, SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 },
+ 	{ SSL_TXT_TLSV1_2, TLS1_2_VERSION,
+ 		SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 },
+	{ SSL_TXT_TLSV1_3, TLS1_3_VERSION,
+		SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2 },
+ };
+ int openssl_min_protocol_to_options(const char *min_protocol, long *opt_r,
+ 				    int *version_r)
--- a/dovecot23.changes
+++ b/dovecot23.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Wed Apr 29 21:25:30 UTC 2020 - Marcus Rueckert <mrueckert@suse.de>
+
+- add allow-tls1.3-only.patch:
+  Allow setting TLSv1.3 as minimum TLS version 
+
+  https://github.com/dovecot/core/pull/126
+
 -------------------------------------------------------------------
 Fri Mar  6 11:14:00 UTC 2020 - Arjen de Korte <suse+build@de-korte.org>

--- a/dovecot23.spec
+++ b/dovecot23.spec
@ -143,6 +143,8 @@ Source11:       http://pigeonhole.dovecot.org/releases/%{dovecot_branch}/%{dovec
 Source12:       dovecot23.keyring
 Patch:          dovecot-2.3.0-dont_use_etc_ssl_certs.patch
 Patch1:         dovecot-2.3.0-better_ssl_defaults.patch
+#               https://github.com/dovecot/core/pull/126
+Patch2:         allow-tls1.3-only.patch
 Summary:        IMAP and POP3 Server Written Primarily with Security in Mind
 License:        BSD-3-Clause AND LGPL-2.1-or-later AND MIT
 Group:          Productivity/Networking/Email/Servers
@ -322,6 +324,7 @@ dovecot tree.
 %setup -q -n %{pkg_name}-%{dovecot_version} -a 1
 %patch -p1
 %patch1 -p1
+%patch2 -p1
 gzip -9v ChangeLog
 # Fix plugins dir.
 sed -i 's|#mail_plugin_dir = /usr/lib/dovecot|mail_plugin_dir = %{_libdir}/dovecot/modules|' doc/example-config/conf.d/10-mail.conf